Peer pressure

You wouldn’t post customers’ Social Security numbers on your website or stand on the street distributing handbills with hospital patients’ medical information. But if there is improperly configured peer-to-peer (P2P) file-sharing software on a company computer, the result could be about the same. That’s why two FTC settlements deserve your attention.

According to the FTC, EPN – a debt collector whose clients included healthcare institutions, retailers, and commercial credit providers – failed to implement reasonable security measures to protect personal information. Where did the company go wrong? The complaint alleges that P2P software was installed on an EPN desktop computer. Because that computer was connected to EPN’s network, sensitive information (including Social Security numbers, health insurance numbers, and medical diagnosis codes of 3,800 hospital patients) was available to any computer connected to the P2P network. The FTC charged that EPN’s lapses – not adequately training its staff, not taking reasonable steps to ensure compliance with its security policies, and not using reasonable methods to prevent, detect and investigate unauthorized access on its networks – amounted to unfair practices under the FTC Act.

In a separate action against auto dealer Franklin’s Budget Car Sales – consumers may know them as Georgia-based Franklin Toyota/Scion – the FTC alleged that a P2P application was installed on a computer that was connected to the company’s network. According to the complaint, the company’s failure to implement reasonable security measures allowed sensitive financial information about 95,000 people to be shared by the P2P software. That included consumers’ names, addresses, Social Security Numbers, dates of birth, and drivers’ license numbers.

In its privacy and data security statement, Franklin promised, “We restrict access to non-public personal information about you to only those employees who need to know that information to provide products and services to you. We maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard non-public personal information.” The FTC alleged that Franklin’s lapses rendered those claims false.

In addition, because Franklin meets the definition of a “financial institution” under the Gramm-Leach-Bliley (GLB) Act, the complaint charged that the company’s security failures violated the GLB Safeguards Rule. Franklin also failed to provide annual privacy notices and failed to offer consumers a mechanism for opting out of having their information shared with third parties, in violation of the GLB Privacy Rule. This is the FTC’s first GLB action against an auto dealer.

What should other companies take from the two cases?

P2P FYI. When improperly configured, P2P software hands the keys to the kingdom to any other computer on that network. Who could be rifling through your files? Maybe it’s a high school kid looking to download games without authorization – or it could be a ring of identity thieves prowling for their next target. A 2010 FTC examination of P2P-related breaches found a treasure trove of sensitive data there for the taking. Worse yet, once a file has been shared, there’s no way to put the toothpaste back in the tube. Even after you delete the file from your computer, it can still be shared. That’s why it’s important to adopt – and follow – a company policy on P2P. Some businesses nix it. Others allow it with appropriate security measures. The decision is yours, but have a policy and make it crystal-clear to your employees. Read Peer-to-Peer File Sharing: A Guide for Business or watch this video to learn more.

Don’t be glib about GLB. Say “financial institution” and most people think of tellers’ cages and savings accounts. But the GLB Act defines the term broadly. Visit the BCP Business Center's GLB page for more on who’s covered and what the GLB Safeguards Rule and Financial Privacy Rule mean for businesses. GLB should definitely be on the compliance checklist for auto dealers. The FTC’s Privacy Rule and Auto Dealers: FAQs is one place to start.

Pleading the case. In data security actions, the FTC often looks to a company’s privacy policy. If the company didn’t honor the promises it made to consumers, the complaint may allege that the statements are false, in violation of the FTC Act. But what if a company says nothing? The FTC may challenge security lapses under the agency’s unfairness jurisdiction. So regardless of the legal specifics of how the case is pleaded, what matters is that companies take reasonable steps to secure sensitive data in their possession.

Add new comment

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.